Summary
When Clerk is used as an OIDC Identity Provider (via OAuth Applications), the /oauth/authorize endpoint strictly honors prompt=login — always showing the sign-in form even when the user has an active session. We need a per-OAuth-app configuration to override this, allowing silent authentication when a valid session exists.
Context
We use Clerk as the external IdP for Shopify's new customer accounts (Plus store, headless Hydrogen storefront). The architecture:
- Storefront (
avnzor.com): users sign in via Clerk's embedded <SignIn> component
- Checkout/Account (
account.avnzor.com): Shopify's customer account system, configured with Clerk as the OIDC IdP
- Clerk OAuth app: confidential client, consent screen disabled, scopes
openid email profile offline_access
The problem: Shopify always sends prompt=login to Clerk's authorize endpoint. This forces a full re-authentication even when the user just signed in on the storefront seconds ago — creating a double sign-in experience.
What we've verified
| Test |
Result |
| Clerk FAPI session propagates to Account Portal |
✅ accounts.avnzor.com/user shows profile |
prompt=none silently issues auth code |
✅ Code issued, no UI, session survives |
prompt=login with active session |
❌ Full sign-in form shown (per OIDC spec) |
prompt=login kills the storefront session |
❌ Session survives (not the issue) |
Request
Add a per-OAuth-application setting (e.g., on the OAuth app object or via PATCH /oauth_applications/{id}) that controls how prompt=login is handled. Something like:
{
"prompt_override": "auto"
}
Where:
"strict" (default): honor prompt=login per OIDC spec (current behavior)
"auto": if the user has an active session, treat prompt=login as prompt=none (skip re-authentication); only show the sign-in form if no session exists
"none": always attempt silent auth, return login_required error if no session
This would allow IdP integrations with platforms like Shopify (which hardcode prompt=login) to work seamlessly without double sign-in.
Alternative: paths.sign_in with absolute URLs
We attempted to use the instance paths.sign_in config to redirect the OAuth sign-in flow to our own page (where we'd intercept and rewrite the prompt). However, paths.sign_in only accepts relative paths — it cannot redirect to an external domain. Supporting absolute URLs there would also solve this use case, though the per-app prompt override is cleaner.
Environment
- Clerk production instance (clerk-js v6)
- FAPI domain:
clerk.avnzor.com
- Account Portal:
accounts.avnzor.com
- OAuth app client_id:
o2eCeS5qgWCbLCIr
- Clerk CLI v2.0.0
Summary
When Clerk is used as an OIDC Identity Provider (via OAuth Applications), the
/oauth/authorizeendpoint strictly honorsprompt=login— always showing the sign-in form even when the user has an active session. We need a per-OAuth-app configuration to override this, allowing silent authentication when a valid session exists.Context
We use Clerk as the external IdP for Shopify's new customer accounts (Plus store, headless Hydrogen storefront). The architecture:
avnzor.com): users sign in via Clerk's embedded<SignIn>componentaccount.avnzor.com): Shopify's customer account system, configured with Clerk as the OIDC IdPopenid email profile offline_accessThe problem: Shopify always sends
prompt=loginto Clerk's authorize endpoint. This forces a full re-authentication even when the user just signed in on the storefront seconds ago — creating a double sign-in experience.What we've verified
accounts.avnzor.com/usershows profileprompt=nonesilently issues auth codeprompt=loginwith active sessionprompt=loginkills the storefront sessionRequest
Add a per-OAuth-application setting (e.g., on the OAuth app object or via
PATCH /oauth_applications/{id}) that controls howprompt=loginis handled. Something like:{ "prompt_override": "auto" }Where:
"strict"(default): honorprompt=loginper OIDC spec (current behavior)"auto": if the user has an active session, treatprompt=loginasprompt=none(skip re-authentication); only show the sign-in form if no session exists"none": always attempt silent auth, returnlogin_requirederror if no sessionThis would allow IdP integrations with platforms like Shopify (which hardcode
prompt=login) to work seamlessly without double sign-in.Alternative:
paths.sign_inwith absolute URLsWe attempted to use the instance
paths.sign_inconfig to redirect the OAuth sign-in flow to our own page (where we'd intercept and rewrite the prompt). However,paths.sign_inonly accepts relative paths — it cannot redirect to an external domain. Supporting absolute URLs there would also solve this use case, though the per-app prompt override is cleaner.Environment
clerk.avnzor.comaccounts.avnzor.como2eCeS5qgWCbLCIr